Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

How to prevent | stats count in a macro from triggering a remote search?

1

Using | stats count is often useful to do a quick test

| stats count | some search where you do not need event data

I wanted to use that mechanism/pattern in a macro that does modifications to a lookup. The macro is called/used by a workflow action

[test]
definition = | stats count | do stuff with a lookup
iseval = 0

Calling the macro triggers a remote search and takes much longer than doing the same directly in the search field in the default search view. Is there a way around this? Is this the wrong aproach? I could embed the search directly in the work flow action but I would like to pass on the name of the lookup that should get modified.

Update 09.09.2014

Thanks for you suggestions MuS & martin_mueller, they did not work for me at least not the way i tried them:

If I add splunk_server=local to the beginning of the macro a remote search is still triggered:

If I try with inputlookup as the first command of the macro I get an error:

If I just enter a | stats count in the search field the job inspector shows the following:

Thanks for the suggestion, the problem remains the same though. I am fine running this manually from search form but as soon as the command is packed into a macro a search is triggered. I think macros should either do a proper search or not be the first part of a search ... -> If I take the first pipe out of the macro I'm fine: | macro -> and the macro contains "inputlookup append=t somename" or "stats count"

Without the explicit pipe at the beginning the implicit search command gets added before macro replacement, effectively making the search * | stats count. Hence you're counting ALL the events, taking a long time.

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here. Closing this box indicates that you accept our Cookie Policy.